An Exploratory Examination of Organizational Insiders’ Descriptive and Normative Perceptions of Cyber-relevant Rights and Responsibilities

2020 
Abstract

Within the field of organizational cybersecurity, much attention has been given to insider compliance and non-compliance with the information security policies (ISPs) set forth by their organizations. Most of these efforts apply theoretical foundations based on self-interest, personal incentive, and cost-benefit calculations to explain compliance and non-compliance motives. We take a different approach to understand insiders’ ISP compliance by exploring how insiders view their rights and responsibilities related to security-relevant behaviors. Relying on Deonance Theory, we assess the extent to which insiders categorize a wide variety of behaviors that are or can be implemented in corporate ISPs according to several deontic conditional operators (e.g., nature of perceived requiredness). These operators form the basis for a rights and responsibility framework. We find that out of 38 unique security-relevant behaviors, 22 exhibit one or more forms of potential moral “gray area” patterns. Among these patterns, significant differences between insiders’ descriptive (i.e., “is”) and normative (i.e., “should be”) assessments of rights and responsibilities perceptions are particularly interesting. Our findings shed additional light on insiders’ compliance with organizational ISPs when those ISPs place increased restrictions on what the insider must or must not do.